GDPR: T minus 10 days

The clock is ticking, are you ready?

JB Sorge
Postmasters
3 min read · May 15, 2018


It’s fair to say that if you haven’t heard or read about GDPR, you’ve probably not picked up a newspaper or turned on the internet for a year — in fact I’m surprised by how many non-techie people I know whose eyes glaze over at the very mention of it.

Adopted in 2016, the General Data Protection Regulation and its deadline of 25 May 2018 have become ingrained in the minds of every techie, marketer, privacy officer and CEO, but with just over a week to go there are a fair few of you who haven’t yet taken the necessary steps to avoid being caught out. Back in February, research stated that two thirds of organisations weren’t prepared for GDPR, with a further 82% admitting to having no idea where their customers’ sensitive information was being held. Which raises the question: if you’re not GDPR-ready, is there anything you can do in the final few days?

What the GDPR expects from you

We’ve had decent data protection laws in Europe up to now, but GDPR extends the scope — so instead of just encompassing email addresses or medical information, GDPR mandates that customer information includes photos, social media profiles and even browser history. Furthermore, it’s not just about organisations based in Europe: the GDPR affects any entity with customers who reside in the region. Finally, with the GDPR come eye-watering fines for non-compliance and, worse still, negligence.

Article 5 of the GDPR states that personal data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Now, ‘appropriate’ is a loose term, but we all know that it’s more than just thinking about data protection and showing a willingness to keep your customer data safe. So, what is ‘appropriate’?

Becoming compliant at the eleventh hour

Get yourself a data protection officer (if it’s required of your organisation) — you’ll be hard pressed to find one so late in the day, but these people will help you to get your ducks in a row. If you can’t find a permanent DPO or consultant in the next 10 days, at least get this initiative into your strategy today.

How clear is your language around privacy policies and customer consent? If it takes a team of legal minds to unpick the policies, then you need to rethink how you’re describing them. GDPR is about giving customers back the control of their personal information — if they don’t understand how to do this, then you’re not complying.

Implement appropriate technical measures to ensure that the personal data you hold is secure. Encryption renders the data unintelligible to anyone without the key, so unless the key itself is compromised, stolen data remains safely unreadable.

How about protecting against accidental loss? Phishing remains a major concern for IT teams, and taking adequate steps now to ensure hackers and scammers can’t fool your customers with emails sent from a spoofed address on your domain could help you avoid those costly fines.

Email protocols to stop your emails being forged have been in place for a number of years, but Domain-based Message Authentication, Reporting and Conformance (DMARC) is the first type of tech that can ensure the ‘From’ header is legitimate. This means your customers know that emails they receive with your domain in the sender address can be trusted and are not a phishing attempt. With DMARC in place, you’re more likely to discourage criminals from trying to use your identity to phish your customers. Equally, your sales and marketing teams will know that in a post-GDPR world nearly all the emails they send will reach their intended recipients, whether sent directly or through GDPR-compliant marketing campaigns.
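To make concrete what “ensuring the From header is legitimate” means, here is an added example (not code from the post or from Red Sift) of the receiving side’s DMARC check: it parses a DMARC TXT record, tests whether the domain in the visible From header is aligned with the domains that passed SPF and DKIM, and returns the disposition the domain owner asked for. The record, the domain names and the SPF/DKIM results are constructed for illustration, and the organisational-domain lookup is simplified to the last two labels (a real receiver consults the Public Suffix List).

```python
"""Toy DMARC evaluator: parse a policy record and decide what happens to a
message given its SPF and DKIM results. Simplified for illustration."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed DMARC record for a hypothetical example.com (not a real domain's policy).
SAMPLE_RECORD = (
    "v=DMARC1; p=reject; sp=quarantine; pct=100; adkim=s; aspf=r; "
    "rua=mailto:dmarc-reports@example.com"
)


def parse_dmarc(txt: str) -> dict:
    """Turn 'tag=value; tag=value' into a dict and apply the RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    if "p" not in tags:
        raise ValueError("DMARC record is missing the required p= tag")
    tags.setdefault("adkim", "r")        # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")         # relaxed SPF alignment by default
    tags.setdefault("sp", tags["p"])     # subdomain policy falls back to p=
    tags.setdefault("pct", "100")        # sampling rate (not applied here)
    return tags


def org_domain(domain: str) -> str:
    """Simplification: treat the last two labels as the organisational domain."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    from_domain: str                  # domain in the RFC 5322 From header
    spf_pass_domain: Optional[str]    # MAIL FROM domain, if SPF passed, else None
    dkim_pass_domain: Optional[str]   # d= of a DKIM signature that verified, else None


def evaluate(record: str, results: AuthResults) -> Tuple[str, str]:
    """Return (dmarc_result, disposition): disposition is none/quarantine/reject."""
    policy = parse_dmarc(record)
    spf_ok = aligned(results.from_domain, results.spf_pass_domain, policy["aspf"])
    dkim_ok = aligned(results.from_domain, results.dkim_pass_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    # A From domain below the organisational domain gets the sp= policy.
    is_subdomain = results.from_domain.lower() != org_domain(results.from_domain)
    disposition = policy["sp"] if is_subdomain else policy["p"]
    return "fail", disposition


if __name__ == "__main__":
    # A spoofed message: From says example.com, but only the attacker's own domain passed SPF.
    spoof = AuthResults("example.com", spf_pass_domain="attacker.example", dkim_pass_domain=None)
    print(evaluate(SAMPLE_RECORD, spoof))   # ('fail', 'reject')
```

The key point the code makes is that SPF or DKIM passing on their own is not enough; the passing domain must line up with the domain the customer actually sees in the From header, and the record’s `adkim`/`aspf` tags decide how closely.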

This is by no means a complete guide to GDPR compliance, but we hope it can steer you in the right direction if you’re beginning to panic about the May 25th deadline. Taking reasonable and appropriate measures to avoid data theft isn’t rocket science and there are a number of vendors that can help with encryption, DMARC and security solution implementation — give us a shout if you need any recommendations! Tick tock…

Tech, startups, cybersecurity, pilot. Flying in #Cloud and blue skies. CRO @redsift.